
The developers of TrueCrypt, a once highly respected, open-source encryption application, have apparently folded their tents and disappeared.

Left behind are questions and paranoia — and a message that users should migrate to other encryption platforms.

Leading the way to public data encryption

TrueCrypt was first released back in 2004, well before most other mass-market encryption products became mainstream, and certainly long before we learned that the U.S. National Security Agency (NSA) was trying to tamper with security software for its own ends. It was built and maintained by an anonymous group of developers known simply as the TrueCrypt team. According to Wikipedia, the TrueCrypt trademark is “registered in the Czech Republic under the name ‘David Tesařík.’”

TrueCrypt’s developers based their encryption software on E4M (Encryption for the Masses), code that, according to a February 2004 Usenet thread, had been stolen from security company SecurStar by ex-employee and E4M author Paul Le Roux. That dispute effectively halted TrueCrypt distribution for several months.

TrueCrypt 2.0 was released in June 2004, and the software was updated off and on until 2012, when Version 7.1a shipped. Then came two years with no new release, a gap noted by several Windows Secrets readers who were concerned that their favorite encryption software did not officially support Windows 8 or 8.1, nor system encryption on PCs that boot through Unified Extensible Firmware Interface (UEFI) firmware rather than a legacy BIOS. Those enhancements were reportedly promised but never delivered.

One of the fundamental concepts of open-source software is that it can be audited for security flaws by any competent developer — not just by its authors. With millions of active TrueCrypt users, there was, not surprisingly, growing concern over the software’s lack of updates and the resulting possibility of new vulnerabilities.

That led to the creation of the not-for-profit Open Crypto Audit Project (OCAP; site), tasked primarily to conduct an external security audit of TrueCrypt’s code. The project would be funded via crowdsourcing, and various programming and security experts would volunteer their time.

Last April 14, OCAP published its Phase I audit report (PDF download), prepared by iSEC Partners. The report found relatively minor problems in TrueCrypt’s code, none rated higher than medium severity, and no evidence of back doors or intentionally malicious code. OCAP reportedly will begin a Phase II audit, covering the cryptography itself, this month.

TrueCrypt’s run comes to an unexpected end

May 28 brought shocking news for all current and would-be TrueCrypt users. A “new” Version 7.2 was released, one that can only decrypt existing volumes and cannot create or encrypt new ones, along with an announcement that the project had been discontinued. Those going to the truecrypt.org site are now redirected to a SourceForge download page, where they find a prominent warning that TrueCrypt might contain unfixed security issues and is thus not secure (see Figure 1).

Figure 1. Visitors to truecrypt.org are redirected to a SourceForge page that displays this warning.

The site recommends that Windows and Apple users migrate their encrypted data to native-OS applications (Microsoft’s BitLocker in the case of Windows users). It advises Linux users to “Use any integrated support for encryption. Search available installation packages for [the] words encryption and crypt, install any of the packages found, and follow its documentation.”

Rumors were soon flying that the site was a hoax or had been hacked. There was also speculation that it was an elaborate form of warrant canary (more info), a device for letting your customers know you’ve been served with a law-enforcement warrant even when the warrant forbids you from saying so. The canary is a sort of inverse notification: at regular intervals you state publicly, typically in a signed posting on your website, that you have not been served. When the statement stops being renewed, or disappears, every interested party can infer that you have been.
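To make the canary logic concrete, here is a small checker, added to this article as an illustration; it is not taken from TrueCrypt, SourceForge, or any real canary. It assumes a hypothetical publisher that reissues a signed all-clear statement at least every 30 days, and an HMAC with a shared key stands in for the PGP signature real canaries carry. The point it demonstrates is that a reader must treat every outcome other than a fresh, validly signed statement as the canary having died.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Hypothetical publisher secret standing in for the PGP key a real canary
# is signed with (assumption: only the publisher can produce a valid MAC).
CANARY_KEY = b"example-publisher-signing-key"
MAX_AGE_DAYS = 30  # the reissue cadence the publisher promised (assumption)


def sign_canary(statement, issued):
    """Publisher side: the statement, an 'Issued:' date line, and a
    signature line computed over both."""
    body = "%s\nIssued: %s\n" % (statement.strip(), issued.isoformat())
    mac = hmac.new(CANARY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "Signature: %s\n" % mac


def check_canary(text, today):
    """Reader side. Returns 'ok', 'missing', 'invalid' or 'stale'.

    'missing' is the case the article describes: the publisher simply stops
    posting. 'stale' means a signed statement exists but is older than the
    promised cadence, which carries the same signal."""
    if not text or not text.strip():
        return "missing"
    lines = text.strip().split("\n")
    if (len(lines) < 3 or not lines[-1].startswith("Signature: ")
            or not lines[-2].startswith("Issued: ")):
        return "invalid"
    body = "\n".join(lines[:-1]) + "\n"
    expected = hmac.new(CANARY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(lines[-1][len("Signature: "):], expected):
        return "invalid"          # tampered with, or signed by someone else
    try:
        issued = date.fromisoformat(lines[-2][len("Issued: "):])
    except ValueError:
        return "invalid"
    if issued > today:
        return "invalid"          # a post-dated statement proves nothing
    if today - issued > timedelta(days=MAX_AGE_DAYS):
        return "stale"
    return "ok"


def canary_alive(text, today):
    """The only safe reading: anything but a fresh, valid statement means
    assume the publisher has been served."""
    return check_canary(text, today) == "ok"


def demo_results():
    """Constructed scenarios run through the checker; returns {name: status}."""
    note = sign_canary("As of this date, we have received no warrants, "
                       "subpoenas or national security letters.",
                       date(2014, 5, 28))
    return {
        "fresh": check_canary(note, date(2014, 6, 5)),
        "edge_30_days": check_canary(note, date(2014, 6, 27)),
        "stale": check_canary(note, date(2014, 7, 15)),
        "tampered": check_canary(note.replace("no warrants", "warrants"),
                                 date(2014, 6, 5)),
        "missing": check_canary("", date(2014, 6, 5)),
    }


if __name__ == "__main__":
    for name, status in demo_results().items():
        print("%-13s %s" % (name, status))
```

The "tampered" scenario is why the signature matters: an attacker who controls the web server can edit the statement or its date, but cannot re-sign it. The "stale" and "missing" scenarios are why a canary only works when readers actually track the cadence; a statement nobody re-checks signals nothing.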

However, in the case of TrueCrypt, none of these theories made sense, nor were they supported by the facts. SourceForge, a highly respected software download site, found no signs of tampering. No one has taken credit for a hoax. And the SourceForge notice didn’t behave like a warrant canary either: a canary works by a regular all-clear statement going silent, whereas this was an explicit, affirmative announcement.

In fact, the only real consequence of the notification was to destroy trust in an application millions have relied on for years to secure their data. In the days following the announcement, numerous sources contacted the elusive TrueCrypt Team members for clarification. The response simply confirmed what had been posted on SourceForge: there would be no further development of TrueCrypt — the project had effectively been shut down and abandoned.

Is ‘In open-source we trust’ a myth?

I was among the many TrueCrypt users who became concerned about the lack of updates. Malware evolves rapidly, and security software must always stay a step ahead of it. That TrueCrypt’s developers were unknown made me only more uncomfortable.

Also, TrueCrypt was completely free; it had no obvious revenue stream to buttress its long-term development and support — a fact especially worrisome for business applications. Software is rarely free; it might be “free for personal use” and supported by paid business versions, or it could be a sideline hobby for its author. But with a sophisticated product such as TrueCrypt, those tasked with maintaining it ultimately have to keep food on the table.

If you think about it, it’s a mystery that we gave TrueCrypt such an extraordinary level of trust. Again, it had dubious legal foundations, its developers were unknown, and its support came mostly through forums that have now disappeared, taking with them years of user-to-user technical discussion that might be lost for good.

Moreover, we’ve often been told that we can trust open-source software. “Many eyes make all bugs shallow” is a saying that, in theory, embodies the advantages of open-source development. But TrueCrypt’s demise, along with the other recent open-source security implosion, OpenSSL’s Heartbleed bug, suggests that our trust in the open-source process can be misplaced; there might not be those “many eyes” at work.

For example, the Heartbleed change to OpenSSL was written by one volunteer and reviewed by one other before it shipped. As Brad Kovach points out in his blog, we build much of the Web on open-source software, often relying on volunteers to build and secure the code. As Blanche DuBois declares in A Streetcar Named Desire, “I have always depended on the kindness of strangers.” I’m doubtful that’s the best policy for software such as TrueCrypt, or for Internet security.

There’s even debate whether TrueCrypt qualifies as open-source. There are basically two ways to develop, release, and support software. The source code for the commercial software you purchase is typically closed: it is never publicly released. The obvious example is Windows and most other software Microsoft sells. We use the software, but we don’t know exactly how it’s built. (What we do know is usually revealed by researchers who have reverse-engineered the binaries.)

Open-source software should be completely transparent. In a typical open-source project, the many variations of Linux for example, each developer posts code to the project servers so that others can review it and improve on it, then posts the changes back for others to build on. According to the Open Source Initiative (site), software counts as open-source only when it’s released under a license that meets the OSI’s Open Source Definition; the GPL v2 and v3 are the best-known approved licenses, but there are many others.

Reportedly, TrueCrypt never carried a standard open-source license; its own license was never OSI-approved, and major Linux distributions declined to package TrueCrypt because of it. Its code was never thoroughly audited until OCAP’s effort this year. And yet we trusted it to encrypt and secure our systems. Why? In large part because it was free and it worked. (Despite repeated attempts, TrueCrypt was never publicly cracked.) Effectively, its huge number of users became both the product testers and marketers. Windows Secrets contributors have, on occasion, discussed and recommended TrueCrypt.

I think we’ve all received a wakeup call. We might need to step back and question the source of our open-source software — and in the future, review its pedigree before installing it.

Protecting our sensitive data in the future

As a first step toward protecting sensitive data, follow the shutdown notice’s advice for your platform: the native OS tool on Windows and Mac, and on Linux, “Search available installation packages for [the] words encryption and crypt, install any of the packages found, and follow its documentation.” Fellow Windows Secrets contributor Lincoln Spector is working on a follow-up article about replacement encryption software. And Fred Langa wrote about using 7-Zip to protect critical files in his May 15 Top Story, “Better data and boot security for Windows PCs.”

But the product at the top of my short list is BitLocker. It’s included with the Pro and Enterprise editions of Windows 8 and 8.1, and with the Enterprise and Ultimate editions of Windows 7. I’ve also used Symantec Encryption Desktop Professional (site), a product that doesn’t require systems to have TPM chips (more info); BitLocker prefers a TPM but can be configured through Group Policy to use a USB startup key instead. Unfortunately, Symantec’s product starts at U.S. $215, and neither solution is cross-platform (Mac and Linux).

As reported on the Gibson Research site, TrueCrypt isn’t destined for the grave; there are just too many TrueCrypt supporters. The Linux Foundation and the Open Crypto Audit Project announced that they’ll carry TrueCrypt forward by forking the code, that is, starting a new project from a copy of the existing source. The new authors would restructure the software, give it a proper license, and eventually release it under a new name.

My recommendation to current TrueCrypt users? Don’t panic! But don’t install Version 7.2 (it can only decrypt) or any other new build; simply maintain the 7.1a installation you have. The OCAP audit found no evidence of back doors and no high-severity flaws, so TrueCrypt still provides encryption that can’t be easily cracked.

By “easily,” I mean that no one has a practical attack on the cipher itself. The real weak point, shared by TrueCrypt, BitLocker and most other disk-encryption products, is the running machine: while a volume is mounted, its master key sits in RAM, and an attacker with physical access to a running or sleeping PC can pull it out of memory, as noted in the Feb. 7, 2013, Top Story, “Legitimate app breaks popular encryption systems.” Once the machine is powered off and its volumes dismounted, there is nothing in memory to steal. And if an attacker has hands on your running machine, the key is usually the least of your problems.
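The following is an added example; it is not code from this story, from TrueCrypt, or from the product covered in the 2013 Top Story. It shows the technique memory-extraction tools rely on, described in the 2008 Princeton cold-boot paper: an AES key in use is stored alongside its expanded key schedule, and that schedule is so structured that a scan of a memory image finds it reliably. The “memory image” here is a constructed buffer of random bytes with one AES-128 schedule planted in it; the key, offset and buffer size are arbitrary choices for the demonstration.

```python
import random


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box (GF(2^8) inverse, then the affine map) rather
    than hand-typing the 256-entry table."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = r = inv
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: a 16-byte AES-128 key -> its 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = list(key)
    rcon = 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                 # first word of each round key
            t = t[1:] + t[:1]           # RotWord
            t = [SBOX[b] for b in t]    # SubWord
            t[0] ^= rcon                # Rcon
            rcon = _gf_mul(rcon, 2)
        w.extend(w[i - 16 + j] ^ t[j] for j in range(4))
    return bytes(w)


def find_aes128_keys(mem):
    """Scan a memory image for AES-128 key schedules.

    When a key is in use the crypto code has usually expanded it, so the
    16-byte key is followed in RAM by the 160 bytes the key schedule derives
    from it. Random data has that structure only by astronomical accident,
    so every full match is a key. Returns [(offset, key), ...]."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        cand = mem[off:off + 16]
        # Cheap pre-filter: derive just the first word of round key 1
        # before paying for a full expansion at this offset.
        t = [SBOX[b] for b in cand[13:16] + cand[12:13]]
        t[0] ^= 1
        if bytes(cand[j] ^ t[j] for j in range(4)) != mem[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == mem[off:off + 176]:
            hits.append((off, bytes(cand)))
    return hits


def build_sample_memory(key=bytes(range(16)), offset=1000, size=4096, seed=1234):
    """Constructed stand-in for a RAM capture: seeded random filler with one
    expanded key planted at `offset`. (In a real image the schedule sits
    wherever the driver's key structure happened to be allocated.)"""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    mem[offset:offset + 176] = expand_key_128(key)
    return bytes(mem)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_memory()):
        print("AES-128 key schedule at offset %d, key %s" % (off, key.hex()))
```

Running the block prints the planted key and its offset. A production scanner also tolerates bit errors from RAM decay by scoring near-matches instead of demanding an exact schedule, and handles the 208- and 240-byte AES-192 and AES-256 schedules; TrueCrypt’s AES volumes use AES-256, so a real tool checks that form too. The technique finds nothing once the machine has been powered off long enough for RAM contents to decay, which is the “turned off” caveat above.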

That said, I’ll return to my main point. Should we trust any free software from unknown sources? Free is rarely “free.” As noted above, it might be supported by paid business editions, advertising, unwanted software downloads, or limited support. In the case of TrueCrypt, it appears the price was paid with a lack of long-term support and planning.

Vendor-proofing your personal-computing system

The virtual death of TrueCrypt is echoed by the recent closing of cloud-storage service Norton Zone. As reported in a Techday story, Symantec is giving Norton Zone customers 60 days to move files out of the service. The report states, “After August 6, 2014, all files and related data, like file names, will be permanently deleted from the service, and neither the users nor Symantec will be able to access them.” The files you trusted to that service could be in limbo while you scramble to move data to other local or cloud locations.

As discussed in a recent article in a Network World story, you need to plan for the possibility that your cloud-storage vendor will shut down.

The TrueCrypt saga highlights the importance of having a Plan B for all our important computing services. For example, if your business has its website with a hosting service, what will you do if that service fails? You need to keep a list of alternative vendors and a plan to migrate your data quickly, if needed.

Also, review the health of any company you depend on. Is it sufficiently funded for longevity? The lack of TrueCrypt releases over two years should have been a warning that something was amiss. It’s a lesson for us all, and one we should apply to all software and services we rely on.

The life and untimely demise of TrueCrypt

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.


Lounge member Protopia recently analyzed the difficulties he’d experienced with DNS lookup errors as he browsed the Web.

And then he set out his findings and solutions in an admirably clear step-by-step procedure in the General Windows forum. Other Lounge members have been thanking Protopia for the offering. You might, too.

The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right into today’s discussions in the Lounge.

The Lounge Life column is a digest of the best of the WS Lounge discussion board. Kathleen Atkins is Associate Editor of Windows Secrets.

From time to time, we revisit Henri, the feline philosopher, to hear what’s been annoying him lately.

He’s no fonder of the White Imbecile than he’s ever been, but this spring Henri finds his housemate’s catnip-fiend existence tragic. Do we hear Henri expressing sympathy? Maybe not. Henri notes other indignities to which domestic cats are prey. Perhaps Henri feels solidarity after all. You be the judge. Click below or go to the original YouTube video.

Defeating BIOS-level, pre-boot passwords

After reading the May 15 Top Story, “Better data and boot security for Windows PCs,” reader Frederick Barrow wrote this:

“Fred: As I recall, you addressed BIOS-level passwords years ago. And at that time, I implemented one. But one day, the techie at my local PC shop said he could defeat the password by removing the on-board battery. I assume that removing the battery would reset the BIOS to default settings — sans passwords. Was he correct?”

Yes, most BIOS-controlled passwords can be bypassed by resetting the BIOS. That’s why I discussed a second type of password security in that article. Used together, the two methods are far better than either one alone.

(Note: For this story, BIOS is shorthand for both classic BIOSes and the newer Unified Extensible Firmware Interface [UEFI] system-boot firmware. UEFI PCs can be more resistant to tampering, depending on system design.)

Windows 8’s Task Manager offers more power, features, and functions than any of its predecessors.

Possibly more impressive: common tasks such as finding and terminating malfunctioning applications are easier than ever.

Almost a one-stop Windows maintenance shop

A key troubleshooting tool in Vista and Win7, Task Manager is even more useful for solving Win8 operation and performance problems. It also has a new look that’s easier to work with.

For Win8’s Task Manager, Microsoft consolidated numerous tools that are scattered throughout Vista and Win7. For example, key functions of the Microsoft Management Console (MMC), the System Configuration tool (MSConfig), and the Resource Monitor (ResMon) are now at your fingertips, inside the revamped Task Manager.

Win8’s Task Manager even borrows some good ideas from third-party diagnostic tools. For instance, there’s a built-in startup analyzer that lets you see and control what’s slowing down your system-boot process.

What follows is a visual tour of the new Task Manager. If you’re running Win8, open your copy of Task Manager and work along with the examples shown below. At the end of the article, you’ll have a good sense of what’s in Task Manager and how the major pieces function.

If you’re not running Win8, the following text will give you a glimpse of what’s coming when you eventually upgrade to Win8 or its successor.

June’s security updates are officially the last that Win8.1 systems without the Win8.1 Update (KB 2919355) will receive. Many of the following updates therefore come in separate versions for those who have not moved to Win8.1 Update.

Plus: There’s a new variant of the infamous CryptoLocker: CryptoWall, spread through browser exploits for Flash, Java, and Microsoft’s Silverlight.

MS14-035 (2957689, 2963950)

June’s Internet Explorer update is a doozy

The two patches in MS14-035 fix a whopping 59 IE vulnerabilities. Two of them were publicly disclosed; the other 57 were revealed during investigations of other in-the-wild exploits. XP users should keep in mind that they won’t receive this critical update. (The patches are rated critical on Windows clients and moderate on servers.)

Windows 8.1 systems without KB 2919355 (the Win8.1 Update) and IE 11/Win7 systems without KB 2929437 (April’s cumulative IE update) get KB 2963950 instead of KB 2957689, and only if they’re behind a corporate patching platform; systems with those prerequisites get KB 2957689. (Note that neither patch is offered via the Microsoft Download Center.)

What to do: Install either KB 2957689 or KB 2963950 (MS14-035) when offered.

Uninstall to protect from CryptoWall

A headline on an Internet Storm Center forums page caught my attention. It notes that even though the threat of CryptoLocker has faded, a variant called CryptoWall is alive and kicking, delivered through browser exploits aimed at unpatched Flash, Java, and Microsoft Silverlight plug-ins.

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last week of December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.

Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
